sakula | 0a2a59874f8d6cab3c462d6cf4b2848acd069c529ce9672ea79e43c42cf4963e

General

Target

0a2a59874f8d6cab3c462d6cf4b2848acd069c529ce9672ea79e43c42cf4963e.exe
Size

101KB
MD5

2692ec65a90620db8d016bbf671413f2
SHA1

bf09a997f52037d2b11f1a9010ddc451ccefcbe2
SHA256

0a2a59874f8d6cab3c462d6cf4b2848acd069c529ce9672ea79e43c42cf4963e
SHA512

948a879b720d2ecb4e29f8805ca5f86774f7518ceb7828cd84f3350ff31d7164e6809fa99381c11ff5a90f6a17e95243cef33fe0ed077ec779c5d0351633be8b
SSDEEP

1536:0oaj1hJL1S9t0MIeboal8bCKxo7h0RP0IwHNz30rtroGCry:P0hpgz6xGhTIwHF30BENry

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula payload 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3332-133-0x0000000000C60000-0x0000000000C7B000-memory.dmp	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
behavioral2/memory/4680-138-0x0000000000240000-0x000000000025B000-memory.dmp	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
behavioral2/memory/3332-139-0x0000000000C60000-0x0000000000C7B000-memory.dmp	family_sakula
behavioral2/memory/4680-140-0x0000000000240000-0x000000000025B000-memory.dmp	family_sakula

Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

4680 MediaCenter.exe

pid	process
4680	MediaCenter.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

0a2a59874f8d6cab3c462d6cf4b2848acd069c529ce9672ea79e43c42cf4963e.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	0a2a59874f8d6cab3c462d6cf4b2848acd069c529ce9672ea79e43c42cf4963e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

864 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

0a2a59874f8d6cab3c462d6cf4b2848acd069c529ce9672ea79e43c42cf4963e.exe

description pid process

Token: SeIncBasePriorityPrivilege 3332 0a2a59874f8d6cab3c462d6cf4b2848acd069c529ce9672ea79e43c42cf4963e.exe

pid	process
864	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	3332	0a2a59874f8d6cab3c462d6cf4b2848acd069c529ce9672ea79e43c42cf4963e.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

0a2a59874f8d6cab3c462d6cf4b2848acd069c529ce9672ea79e43c42cf4963e.execmd.exe

description	pid	process	target process
PID 3332 wrote to memory of 4680	3332	0a2a59874f8d6cab3c462d6cf4b2848acd069c529ce9672ea79e43c42cf4963e.exe	MediaCenter.exe
PID 3332 wrote to memory of 4680	3332	0a2a59874f8d6cab3c462d6cf4b2848acd069c529ce9672ea79e43c42cf4963e.exe	MediaCenter.exe
PID 3332 wrote to memory of 4680	3332	0a2a59874f8d6cab3c462d6cf4b2848acd069c529ce9672ea79e43c42cf4963e.exe	MediaCenter.exe
PID 3332 wrote to memory of 456	3332	0a2a59874f8d6cab3c462d6cf4b2848acd069c529ce9672ea79e43c42cf4963e.exe	cmd.exe
PID 3332 wrote to memory of 456	3332	0a2a59874f8d6cab3c462d6cf4b2848acd069c529ce9672ea79e43c42cf4963e.exe	cmd.exe
PID 3332 wrote to memory of 456	3332	0a2a59874f8d6cab3c462d6cf4b2848acd069c529ce9672ea79e43c42cf4963e.exe	cmd.exe
PID 456 wrote to memory of 864	456	cmd.exe	PING.EXE
PID 456 wrote to memory of 864	456	cmd.exe	PING.EXE
PID 456 wrote to memory of 864	456	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\0a2a59874f8d6cab3c462d6cf4b2848acd069c529ce9672ea79e43c42cf4963e.exe
"C:\Users\Admin\AppData\Local\Temp\0a2a59874f8d6cab3c462d6cf4b2848acd069c529ce9672ea79e43c42cf4963e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3332

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:4680

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0a2a59874f8d6cab3c462d6cf4b2848acd069c529ce9672ea79e43c42cf4963e.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:456

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:864

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
101KB

MD5
1c97ede69985eb26017d63081773f8a1

SHA1
f39a91ddf17a8e3331d5dc93c94ecddb87e96ea1

SHA256
e279c68acd2b411a0dabe154de32982e103474fd30341bc8429df2d30ded5d2d

SHA512
7aec8a73992efe1f9f55c9e6ab2c5494a065b3ac3da30901378a5eb63303dbaf84b0458768f7052ab6d3c228e75edc83de2831ca07e44144b5f7de62d291ed66

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
101KB

MD5
1c97ede69985eb26017d63081773f8a1

SHA1
f39a91ddf17a8e3331d5dc93c94ecddb87e96ea1

SHA256
e279c68acd2b411a0dabe154de32982e103474fd30341bc8429df2d30ded5d2d

SHA512
7aec8a73992efe1f9f55c9e6ab2c5494a065b3ac3da30901378a5eb63303dbaf84b0458768f7052ab6d3c228e75edc83de2831ca07e44144b5f7de62d291ed66

Download Submit
memory/3332-133-0x0000000000C60000-0x0000000000C7B000-memory.dmp

Filesize
108KB

Download
memory/3332-139-0x0000000000C60000-0x0000000000C7B000-memory.dmp

Filesize
108KB

Download
memory/4680-138-0x0000000000240000-0x000000000025B000-memory.dmp

Filesize
108KB

Download
memory/4680-140-0x0000000000240000-0x000000000025B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads